The Payment Card Industry Security Standard Council (PCI SSC) has followed up the release of the PCI DSS v3.2.1 Standard on 17 May 2018 with updates to the supporting documents such as the self-assessment questionnaires (SAQ). Whilst the overall purpose of v3.2.1 was to provide ‘clarifications’ and not to introduce any new requirements to the Standard, the update to the SAQ A ‘Card-Not-Present Merchants and All Cardholder Data Functions Outsourced’ has an additional requirement (6.2) included.
SAQ A Requirement 6.2 requires merchants to ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches and that all critical security patches are installed within one month of release.
The PCI SSC has commented that this change is necessary to address current threats and compromises impacting e-commerce redirection servers. It is particularly relevant to merchants using the e-commerce payment channel and/or Response.Redirect methods or embedded iFrames to pass cardholder data directly from the cardholder’s browser to the payment processor. Such merchants will now need to ensure that security patches are applied to their web server environment and that critical security patches are applied to those servers within 30 days of release.
If you would like to discuss how this addition impacts you please speak to your account manager.